DPDP Act

Introduction to India’s Digital Personal Data Protection (DPDP) Act, 2023

In this article, I am going to tell you about the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India. I will provide some key highlights of this act in simple language.

In my last column, I briefly explained the importance of personal data, privacy, leakage and penalties. In today’s article, I am going to tell you about the Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India, which came into force on August 11, 2023. It is a comprehensive privacy and data protection law, and all other related laws, rules and regulations have to follow the provisions of this Act. This law completes a seven-year journey that began in 2017, when the Supreme Court of India ruled in the Aadhaar case that the right to privacy is protected under the Constitution of India.

This is the digital age: with the rise of social media and various applications, our personal details are scattered everywhere in the digital world. Many people do not realize that the ‘Allow’ option presented when first downloading apps is the biggest thief of our information. That is, when you download a company’s app to your mobile, it also asks for permission to access other sections such as the camera, gallery, contacts and GPS. If you allow this, all your personal information is uploaded by those companies to their servers. We do not even realize that those companies sell this information for money in elections, business or other situations. The central government has enacted the DPDP Act to expose this misuse, suffering and confusion.

Highlights of the DPDP Act:

  • Applicability: The DPDP Act applies to all information in India that is collected online, or collected offline and later digitized. In addition, this Act applies to the processing of digital personal information beyond the borders of India when it involves providing goods or services to individuals within Indian territory.
  • Personal Information Breach Definition: This Act applies when the confidentiality, integrity or availability of personal information is compromised by any unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration or destruction of personal information.
  • Individual consent to use information and information rights: Under the new legislation, personal information will only be used and processed with the express consent of the individual, unless there are specific circumstances relating to national security, law and order.
  • Rights and duties of data principal: An individual whose data is being processed (the data principal) will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) seek grievance redressal. Data principals will also have certain duties. They must not: (i) register a false or frivolous complaint, or (ii) furnish any false particulars or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.
  • Obligations of data fiduciaries: The entity determining the purpose and means of processing (the data fiduciary) must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach, (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and (iv) erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the data principal to erasure will not apply.
  • Transfer of personal data outside India: The Act allows transfer of personal data outside India, except to countries restricted by the central government through notification.
  • Establishment of the Information Protection Board: The Information Protection Board will act as an impartial adjudicating body responsible for resolving privacy-related grievances and disputes between the parties concerned.
  • Offences and Penalties: Data custodians (institutions) can face a fine of up to Rs 250 crore for failure to comply with the provisions. Complainants can be fined up to Rs 10,000 for false or malicious complaints.
  • Exemptions: Notified agencies are exempted from data breaches for the purposes of security, sovereignty, public order etc., for research, archiving or statistical purposes, for the enforcement of legal rights, for the exercise of judicial or regulatory functions, for the prevention, detection, investigation or prosecution of offences, and for tracing defaulters and their financial assets etc.
